SIEM Design

Calculating EPD (events per day) and Storage Requirements

Average per day

Peak/burst Max

Devices to Monitor

Networking Devices

Security Devices

Server Operating Systems

Security Applications

Database

Cloud Platforms
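As an added example (not from the original notes), a small sizing calculator that turns per-source average and peak rates into EPD, the peak ingest rate the SIEM must sustain, and retained storage, with one sample source per device category listed above; the source list, per-event sizes, compression ratio and index overhead are constructed assumptions.

```python
# Added sizing example (not from the original notes).  All per-source rates,
# event sizes, compression ratio and index overhead are constructed
# assumptions; replace them with measured values from your own log sources.
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400

@dataclass
class LogSource:
    name: str
    avg_eps: float      # average events per second over a normal day
    peak_eps: float     # observed peak/burst events per second
    avg_bytes: int      # average raw event size in bytes

def events_per_day(sources):
    """Average EPD: sum of each source's average EPS, times seconds per day."""
    return sum(s.avg_eps for s in sources) * SECONDS_PER_DAY

def peak_eps(sources, concurrency=1.0):
    """Ingest capacity must cover the sum of peaks; concurrency < 1.0 assumes
    not every source bursts at the same moment (size for 1.0 if unsure)."""
    return sum(s.peak_eps for s in sources) * concurrency

def storage_gb(sources, retention_days, compression=0.1, index_overhead=0.3):
    """Retained volume: raw bytes per day, compressed, plus index space."""
    raw_per_day = sum(s.avg_eps * s.avg_bytes for s in sources) * SECONDS_PER_DAY
    per_day = raw_per_day * compression * (1 + index_overhead)
    return per_day * retention_days / 1e9

# Constructed sample inventory, one entry per device category above.
SAMPLE_SOURCES = [
    LogSource("networking-devices", avg_eps=200, peak_eps=800, avg_bytes=300),
    LogSource("security-devices", avg_eps=300, peak_eps=1200, avg_bytes=400),
    LogSource("server-os", avg_eps=150, peak_eps=600, avg_bytes=800),
    LogSource("database", avg_eps=20, peak_eps=100, avg_bytes=1000),
    LogSource("cloud-platforms", avg_eps=80, peak_eps=400, avg_bytes=1200),
]
```

Size licences on the peak figure and disks on the storage figure; the average EPD alone under-provisions both.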

Use Cases

1- Detecting new VPN connectivity from anywhere except China (mostly done from the events received by the firewalls)
2- NMAP scan (this comes from flows; by default QRadar identifies around 400 applications, but NMAP is not one of them)
3- Ping sweep
4- XSS attacks
5- SQL injection
6- If a new port has been opened on the firewall for inbound/outbound traffic
7- If an FTP site has been accessed from an unknown address
8- If tunneled data is detected on the network
9- If RAR files are being continuously uploaded as fixed-size split parts
10- If online messengers are used to chat and transfer files
11- If malicious traffic is seen hitting critical servers in the infrastructure
12- Detecting BitTorrent or P2P traffic
13- If the firewall has a critical policy change (this differs from one brand to another, as the same event is not named the same way in all brands)
14- If X number of changes have been made on a firewall over X period of time by X user
15- If a new user/admin has been created on a critical server, network device or firewall
16- If a machine’s time has changed
17- If a remote session to a critical server lasted more than an hour
18- Network resources have been accessed during non-working hours
19- If the credentials of an on-leave or ex-employee user have been used in any way
20- If credentials are sent in clear text
21- Any config change
22- Agent has been tampered with
23- If an infected machine receives an SSH login attempt
24- Which servers were recently attacked with an exploit, correlated against a recent scan of the same server
25- An OS fingerprint event has occurred by an attacker
26- Auditing has been removed, changed or altered
27- Access to any device by anyone other than the admin or authorized users
28- The same account logged in from different geographical places
29- Multiple login failures from the same username/IP address to the same destination, followed by a success
30- SSH, telnet etc. sessions taken on a non-standard port
31- Successful login to disabled accounts
32- Restart/shutdown of critical servers
33- Hostile email attachments
34- Attacks on internet gateways
35- Track each new virus detected in the environment

Generic OS

Privileged user login

Failed login by privileged user

Excessive failed logins for a single host

Excessive failed logins for a user across multiple hosts

Deactivated/terminated user login

Same user logged into multiple machines

High rate of configuration changes

High rate of errors by a single host

Logging service stopped

Critical service stopped

Important account lockout

Abnormal OS restart

Modification of networking configuration

Linux Specific

User added to ‘root’ or ‘wheel’ group

‘su’ or ‘sudo’ to root account

Syslog stop/start/restart

Auditd stop/start/restart

Excessive failures to “SU”

Windows Specific

High rate of logins by service account

Privilege escalation by unauthorized user

Virus detected on Windows Server

Important account lockout

Audit log cleared

Malware not removed from a critical asset

Detecting audit policy was altered

Authentication: ‘logined’, ‘login failed’, ‘locked’, ‘unlocked’

The ‘logined’ events provide the ‘from’ IP address, which can be used to check for user credential compromise.

Examples: a user logged in from unexpected site(s) or geographic location, or a user logged in from multiple locations within a specified period of time.

The ‘login failed’ events provide the number of failed attempts, which can be useful for correlations/escalations that alert when a user is approaching (or has surpassed) a tolerated threshold.

The ‘locked’ and ‘unlocked’ events could potentially be tracked to see how long it takes a user to be unlocked (useful for improving business operations/efficiency as well as validating that the unlock was done by the appropriate, authorized person).

These logs could potentially be checked against a list of permissions, to ensure that a user hasn’t received unexpected higher-level privileges. They can also be reviewed by time, to ensure that maintenance windows for change are adhered to.
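As an added example, not part of the original notes, two of the correlation rules above implemented over a constructed authentication log: use case 29 from the list (repeated failures from one user/source/destination followed by a success) and the ‘logined’ check in this section (one account succeeding from different locations within a period of time). The log line format, field names and the IP-to-location table are assumptions standing in for a SIEM’s normalized fields and GeoIP lookup.

```python
# Added example (not from the original notes).  Line format, field names and
# the GEO table are constructed stand-ins for real SIEM normalized fields.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO time> <outcome> user=<u> src=<ip> dst=<host>"
SAMPLE_LOG = """\
2024-01-05T09:00:01 failed user=alice src=10.0.0.5 dst=srv1
2024-01-05T09:00:03 failed user=alice src=10.0.0.5 dst=srv1
2024-01-05T09:00:05 failed user=alice src=10.0.0.5 dst=srv1
2024-01-05T09:00:08 success user=alice src=10.0.0.5 dst=srv1
2024-01-05T09:10:00 success user=bob src=10.0.0.7 dst=srv2
2024-01-05T09:30:00 success user=bob src=203.0.113.9 dst=srv2
"""
# Constructed IP-to-location table standing in for a GeoIP feed.
GEO = {"10.0.0.5": "HQ", "10.0.0.7": "HQ", "203.0.113.9": "remote-country"}

def parse(log):
    """Turn each line into (time, outcome, user, src, dst), oldest first."""
    events = []
    for line in log.splitlines():
        ts, outcome, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), outcome, f["user"], f["src"], f["dst"]))
    return sorted(events)

def failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Use case 29: >= threshold failures for one (user, src, dst) inside the
    window, then a success for the same triple.  Returns (user, src, dst, time)."""
    hits, recent = [], defaultdict(list)
    for ts, outcome, user, src, dst in events:
        key = (user, src, dst)
        recent[key] = [t for t in recent[key] if ts - t <= window]  # expire old
        if outcome == "failed":
            recent[key].append(ts)
        elif len(recent[key]) >= threshold:
            hits.append((user, src, dst, ts))
            recent[key].clear()  # alert once per burst
    return hits

def multi_location_logins(events, window=timedelta(hours=1)):
    """Use case 28 / ‘logined’ check: one account succeeding from two different
    locations within the window.  Returns (user, previous_loc, new_loc, time)."""
    hits, last = [], {}
    for ts, outcome, user, src, _ in events:
        if outcome != "success":
            continue
        loc = GEO.get(src, "unknown")
        if user in last and last[user][1] != loc and ts - last[user][0] <= window:
            hits.append((user, last[user][1], loc, ts))
        last[user] = (ts, loc)
    return hits
```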

Operation:

The ‘Added User’ and ‘Delete User’ events are the most interesting from this section and should be matched to active (or suspended/removed) accounts.

Technology and Controls

Standard network security tools are used to gain visibility of which data assets are being secured (main objective = detecting threats)

Security processes are semi-automated to defend against threats; Static “normal” network behaviour and context are created to understand the status of risk profiles at a single point in time

Advanced tools are used to anticipate and prepare for unknown threats

The majority of security processes are automated; Leveraging threat intelligence is a business objective; Adaptive network behaviour and context are created to understand the real-time status of risk profiles

Security Operations

Security practices are implemented without formal guidelines

Security practices are embedded in formal guidelines to be used by IT and information security teams

Guidelines and security processes are established in all IT, customer-facing, operations, and support functions; incident response procedures are defined

Continuous tests of security operations are conducted, including automated incident response and management with technical, customer facing functions, operations, and support staff

People

No dedicated security role with responsibilities in either the IT or other risk/compliance departments

Information security is addressed within the organisation with at least one employee responsible for it

IT and information security teams are aware of AND carry out security practices as defined by formal guidelines; training is received to ensure both teams are kept up to date

Technical, customer-facing, operations, and support staff receive training and education to keep up to date on information security risks

ReactNative vs. Apache Cordova

Many of you may already be familiar with Apache Cordova as an open-source project that enables web developers to build mobile apps with full access to native APIs and offline support. In a Cordova app, the entire UI executes inside a full-screen WebView where you can leverage the same HTML, CSS and JS frameworks found on the web. But, since the UI is rendered in the WebView, it can be difficult if not impossible to achieve a truly native look and feel.

ReactNative apps are also written with JavaScript – or, more specifically, they are written with the React/JSX framework. But, rather than running in a WebView as Cordova does, the code runs in a JavaScript engine that’s bundled with the app. ReactNative then invokes native UI components (e.g. UITabBar on iOS and Drawer on Android) via JavaScript. This means that you can create native experiences that aren’t possible with Cordova.

That said, Apache Cordova is presently a more mature and stable technology that lets you write a common UI layer using web technologies, whereas ReactNative is much newer and still requires you to write distinct UI layers. If your app requires native UI and you enjoy the excitement of a rapidly evolving JavaScript platform, then ReactNative might be an option to consider.